#3041: imap fetch segfault

Comment (by brendan):
    558 if (h && h->active && h->index+1 == msgno)

Hmm, h must be neither NULL nor a valid header. That is certainly troubling. Usually the header array is preallocated and zeroed before headers are fetched into it, but there may be some lazy allocation in the read_headers function when a mailbox is first opened that is getting tripped up on this.

You are right that the code should be refactored and shared instead of duplicated. The current situation is a result of the somewhat lazy way the original author of the header cache added IMAP support (which is improving over time, but slowly).

I think you may also be right that a malicious server could cause a buffer overflow by using a too-large SID. This should be checked as soon as possible! But I don't think that temporary NULL pointers in ctx->hdrs should generally be a problem. As you report, the arrival of flag updates BEFORE any header information at all has been supplied is probably the culprit: flag updates are handled in cmd, outside of the header fetching code. The proper, but somewhat large, fix would be to move header parsing into cmd too. But I'm sure we can come up with a simpler, uglier band-aid :)

--
Ticket URL: <http://dev.mutt.org/trac/ticket/3041#comment:2>
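The comment above raises two distinct hazards in the flag-update path: a server-supplied message sequence number that is used as an array index without a bounds check, and a slot in ctx->hdrs that is still NULL because the flag update arrived before the header was fetched. The following stand-alone C model, added here for illustration, is not mutt's code: the Context and Header structures, the function names, and the pending[] array that records a flag update until the header lands are hypothetical stand-ins, and the replay-on-fetch approach is one possible band-aid rather than what the project implemented.

```c
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical, simplified model of a mailbox context (not mutt's structures). */
typedef struct {
    unsigned int index;   /* zero-based slot this header occupies in ctx->hdrs */
    int active;
    int flagged;
} Header;

typedef struct {
    Header **hdrs;          /* zeroed at open; slot i stays NULL until header i is parsed */
    unsigned char *pending; /* pending[i] != 0: a flag update was seen before header i existed */
    size_t hdrmax;          /* number of slots actually allocated */
} Context;

enum { FLAG_APPLIED = 0, FLAG_DEFERRED = 1, FLAG_REJECTED = -1 };

void ctx_close(Context *ctx) {
    if (!ctx) return;
    for (size_t i = 0; ctx->hdrs && i < ctx->hdrmax; i++) free(ctx->hdrs[i]);
    free(ctx->hdrs);
    free(ctx->pending);
    free(ctx);
}

/* Preallocate and zero the header array, as the comment says the cache does. */
Context *ctx_open(size_t hdrmax) {
    Context *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return NULL;
    ctx->hdrs = calloc(hdrmax, sizeof *ctx->hdrs);
    ctx->pending = calloc(hdrmax, 1);
    if (!ctx->hdrs || !ctx->pending) { ctx_close(ctx); return NULL; }
    ctx->hdrmax = hdrmax;
    return ctx;
}

/* Flag update for a 1-based sequence number supplied by the (untrusted) server.
 * The unsafe pattern is `ctx->hdrs[msgno - 1]->flagged = 1;`: it reads past the
 * allocation when msgno > hdrmax and dereferences NULL when the slot is unfetched.
 * Here the index is validated first, then a NULL slot is tolerated by deferring. */
int apply_flag(Context *ctx, unsigned int msgno) {
    if (msgno == 0 || (size_t)msgno > ctx->hdrmax)
        return FLAG_REJECTED;                 /* would index outside ctx->hdrs */
    Header *h = ctx->hdrs[msgno - 1];
    if (h && h->active && h->index + 1 == msgno) {
        h->flagged = 1;
        return FLAG_APPLIED;
    }
    ctx->pending[msgno - 1] = 1;              /* header not here yet: remember the update */
    return FLAG_DEFERRED;
}

/* Header for msgno has been parsed: fill the slot and replay any deferred flag. */
int fetch_header(Context *ctx, unsigned int msgno) {
    if (msgno == 0 || (size_t)msgno > ctx->hdrmax) return -1;
    Header *h = calloc(1, sizeof *h);
    if (!h) return -1;
    h->index = msgno - 1;
    h->active = 1;
    if (ctx->pending[msgno - 1]) {
        h->flagged = 1;
        ctx->pending[msgno - 1] = 0;
    }
    free(ctx->hdrs[msgno - 1]);               /* replace a stale slot, if any */
    ctx->hdrs[msgno - 1] = h;
    return 0;
}

/* Returns 1 if the header exists and is flagged, 0 otherwise (never dereferences NULL). */
int header_flagged(const Context *ctx, unsigned int msgno) {
    if (msgno == 0 || (size_t)msgno > ctx->hdrmax || !ctx->hdrs[msgno - 1]) return 0;
    return ctx->hdrs[msgno - 1]->flagged;
}

int main(void) {
    /* Constructed scenario: 4 slots, server sends a flag update for message 3
     * before any header has been fetched, then an out-of-range number. */
    Context *ctx = ctx_open(4);
    if (!ctx) return 1;
    printf("flag 3 before fetch: %d (1 = deferred)\n", apply_flag(ctx, 3));
    printf("flag 9 out of range: %d (-1 = rejected)\n", apply_flag(ctx, 9));
    fetch_header(ctx, 3);
    printf("header 3 flagged after fetch: %d\n", header_flagged(ctx, 3));
    ctx_close(ctx);
    return 0;
}
```

The bounds check is the part that matters for the overflow concern: any value the server sends for a sequence number must be compared against the allocation before it is used as an index. Deferring the flag update is one way to survive the ordering problem without moving header parsing into cmd.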